Wednesday, March 6, 2013

Can't live with them, can't live without them

Passwords have been around for approximately forever, and despised for nearly that long. However, while great strides have been made in improving password-based authentication, these improvements are not a panacea, often come with maintenance costs of their own, and sometimes even serve as additional attack vectors. While we should keep striving to improve authentication, it is also important to recognize that passwords are not going away any time soon, to understand the drawbacks of existing password solutions, and to try to improve them.

Many of the best practices for passwords (prohibiting reuse, requiring unguessable passwords, being able to remember passwords) seem impossible without a password manager. Firefox has implemented a password manager since inception. The built-in password manager detects the presence of a login form and prompts the user, via a notification, to store the password.
We use data from the same Test Pilot study as in the last post, this time focusing on password statistics. Approximately 5.5% of users have disabled the password manager, which is enabled by default. However, are the remaining 94.5% of users actually using the password manager with intent?

To answer this question, let's first examine the number of users who have stored at least one password in the password manager (as obtained by querying nsILoginManager for all logins). The graph below shows the distribution of the number of passwords stored in the password manager for users who have no more than 30 passwords. This graph represents 96% of the nearly 12K users in the study.
The graph above shows that 73.4% of users store at least one password in the password manager, but it is far from clear that this use is intentional: after all, 13.9% of users store only a single password, and it is doubtful that a password manager is necessary or beneficial in the single-password case. We can also look at the distribution of the number of sites stored in the password manager, for users who have no more than 30 sites stored.


Interestingly, the site distribution has a slightly longer tail than the password distribution, so this graph represents only 89% of users. The shape of the graph is very similar, however, and lends credence to the hypothesis that much of the information stored in the password manager represents accidental use, if we believe that the password manager is not beneficial in the case of a single site.

Because this study did not collect how frequently the password manager triggered on login forms, we can't definitively conclude that storing only one password represents accidental use. Alternative explanations, ranked in order of increasing plausibility according to my personal prejudice:
  1. I only use this browser for work and I don't care about my work password.
  2. I have a secure, memorizable password scheme but can't remember the requirements for this one site.
  3. I only have one main password but it doesn't meet this one site's requirements.
Does this data hint at anything interesting about password reuse? Let's examine the mean number of passwords stored versus the number of sites.
This graph represents 97.5% of users and omits 43 outliers who have more than 100 passwords stored. The vertical error bars represent the standard deviation from the mean. The graph falls far south of x=y, the ideal case of storing one password per site. So we can conclude that even while using a password manager, people still reuse passwords across sites.

This level of reuse is not necessarily due to user choice. For example, subdomains on the same intranet frequently require the same password, due to LDAP linkage. This in itself is not a security problem if the security guarantees are identical across subdomains. However, it is a problem when those intranets outsource services to outside vendors through LDAP, requiring password reuse at external parties. Note to future study authors: please include counts for effective TLDs in addition to domains in order to account for this case.
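As an added example (not code from this post or from Firefox), the following Node.js script computes the passwords-versus-sites statistics discussed above, counting sites both by exact host and by effective TLD+1 (registrable domain), which is the distinction the note to future study authors asks for: hosts that share a registrable domain (the LDAP-backed intranet case) collapse into one site, while reuse that survives that grouping spans genuinely different parties. The login records are constructed sample data whose fields mirror the hostname/username/password attributes of Firefox's nsILoginInfo (in Firefox code they would come from Services.logins.getAllLogins()); the tiny suffix list is an assumption standing in for the real Public Suffix List, which does list blogspot.com in its private section so that user-controlled subdomains count as separate sites.

```javascript
// Added example: password-reuse statistics over stored logins,
// counted per exact host and per effective TLD+1 (registrable domain).
// Login objects mirror nsILoginInfo's hostname/username/password fields;
// the data below is constructed, not taken from any study.

// Constructed stand-in for the Public Suffix List (assumption: a real
// deployment loads the full list). A host whose parent matches an entry
// here is treated as its own registrable domain.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'co.uk', 'blogspot.com']);

// Return the registrable domain (eTLD+1) for a host, or null if the host
// itself is a public suffix. Candidates are tried longest-first, so the
// longest matching suffix wins (blogspot.com beats com).
function effectiveTldPlusOne(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(candidate)) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  // No known suffix: fall back to the last two labels.
  return labels.slice(-2).join('.');
}

// nsILoginInfo.hostname is an origin such as "https://mail.example.com";
// strip the scheme (and any port) to get the bare host.
function hostOf(login) {
  return new URL(login.hostname).hostname;
}

// Count distinct passwords, hosts and registrable domains, and how many
// passwords are shared across more than one registrable domain.
function reuseStats(logins) {
  const passwords = new Set();
  const hosts = new Set();
  const domains = new Set();
  const domainsByPassword = new Map(); // password -> Set of eTLD+1
  for (const login of logins) {
    const host = hostOf(login);
    const domain = effectiveTldPlusOne(host) || host;
    passwords.add(login.password);
    hosts.add(host);
    domains.add(domain);
    if (!domainsByPassword.has(login.password)) {
      domainsByPassword.set(login.password, new Set());
    }
    domainsByPassword.get(login.password).add(domain);
  }
  const crossDomain = [...domainsByPassword.values()].filter((s) => s.size > 1).length;
  return {
    logins: logins.length,
    distinctPasswords: passwords.size,
    distinctHosts: hosts.size,          // the "sites" count a naive study reports
    distinctDomains: domains.size,      // the eTLD+1 count the post asks for
    crossDomainReusedPasswords: crossDomain, // reuse that eTLD+1 grouping does not excuse
  };
}

// Constructed sample: one intranet with three LDAP-linked subdomains, an
// outsourced vendor sharing that password, two blogs under blogspot.com,
// and one unrelated shop.
const SAMPLE_LOGINS = [
  { hostname: 'https://mail.example.com',   username: 'alice', password: 'correct horse' },
  { hostname: 'https://wiki.example.com',   username: 'alice', password: 'correct horse' },
  { hostname: 'https://bugs.example.com',   username: 'alice', password: 'correct horse' },
  { hostname: 'https://vendor.example.org', username: 'alice', password: 'correct horse' },
  { hostname: 'https://alice.blogspot.com', username: 'alice', password: 'hunter2' },
  { hostname: 'https://bob.blogspot.com',   username: 'alice', password: 'hunter2' },
  { hostname: 'https://shop.example.co.uk', username: 'alice', password: 'battery staple' },
];

console.log(reuseStats(SAMPLE_LOGINS));
```

On the sample, the host count (7) overstates the sites relative to the registrable-domain count (5), so three of the apparent reuses are the intranet case the post describes; the two passwords still shared across registrable domains (the vendor, and the two blogspot blogs, which the suffix list keeps separate) are the reuse a study should actually report.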

In summary, it seems that even though 94.5% of people have the password manager enabled, far fewer users gain any benefit from it. Over the years I have heard the following arguments against using password managers:
  • I only use one password so I don't need one.
  • They don't work across all my devices.
  • They don't work across all my browsers.
  • I don't trust local password managers against local attacks.
  • I don't trust cloud password managers because I don't trust third parties.
The first argument is especially egregious, considering the combined forces of account hijacking, phishing, and password database hacks. The second and third arguments can't be solved with a local password manager, or even a browser-specific password manager. The fourth argument can be solved somewhat with a master password, but only 1 out of 12K users had the master password enabled (security.ask_for_password in about:config), so either that feature is undiscoverable, unusable, or regarded as too insecure to be effective. It is clear from the data that not enough people take advantage of password managers. I look forward to further progress from the identity team to solve some of these issues.

Many thanks to Paul Sawaya and Tanvi Vyas for advice on this post, and to Paul for writing the code to capture password manager statistics.


11 comments:

  1. The reason the master password feature doesn't get used is that the main reason for having Firefox remember passwords is so that I don't have to type them in all the time. Having to enter a master password whenever I want to use a remembered password kind of defeats that goal...

    For what it's worth, I have about thirty passwords stored in my profile. Roughly a third are the default accounts for various developer environments (where the stored password is indeed 'password'), another third from real work-related servers (bug tracker, etc), and the last third are personal accounts on various internet services (e.g discussion forums).

    Replies
    1. I found the same thing when I turned on the master password on Firefox.

      I use a cloud-based password manager that requires entering a master password once per session, which strikes me as the right balance. The Firefox password manager is due for a rewrite, and I hope that the next version isn't any more onerous than requiring a master password once per session.

    2. Oh, and to elaborate, that means that the first group all use the same username/password as each other, since it's a default account created by scripts. The second group (my actual login) are also the same, since they represent a bunch of services using Active Directory authentication. The final group, needless to say, are all different passwords.

    3. Actually, even using the Firefox Password Manager you only have to type in your password once per session. It would be totally annoying otherwise.

  2. I use the password manager because it's integrated, thus easier to use.

    However:

    - I don't save very important passwords in it, because I know that even with the master password, it's not secure
    - the master password UI is TERRIBLE and I'm sure you know that.
    - it doesn't ALWAYS work. Sometimes, it doesn't ask to save the password, even with the JS field tricks. Sometimes it doesn't show the password, even if there's only one available, until the login is typed in

    I think that's the reason why people use separate password managers, too (well, when they do).

    I wish the integrated one was a lot better, as it'd make my life a lot easier.
    I have about 200 passwords saved, I think.

    Replies
    1. I don't understand not trusting your profile data because it's insecure. Anyone with physical access can perform much more powerful attacks, gain root, install keyloggers, all sorts of things.

      What do you use for your 200 passwords when you use a different browser, or a different machine? Do you somehow avoid doing that?

    2. Security-wise, my biggest issue with the password manager is that it does not use key strengthening (see https://bugzilla.mozilla.org/show_bug.cgi?id=524403 ), so I have to use really long passwords. And how many users know the difference between offline and online password attacks and thus choose really strong master passwords?

  3. The main issue with the password manager for me is that it is too finicky about what pages a stored password should work for. For example, if I save my password for example.com, I may not get any password prefilled on example.com/login. If a site has multiple points of entry for signing in, and they are each implemented in a slightly different way, then Firefox will think that each point is a totally different site with different login credentials. As a result, the password manager will be filled with multiple redundant entries for the same site. The same happens when a site makes changes to its login system. Worse, it's hard to be sure that Firefox will have remembered your password the next time around. If it doesn't, you will need to break out the password manager dialogue (the only time I ever use that interface) and figure out which password it was that you used on that site (which takes more than a few clicks). As a result of this uncertainty, you will be disinclined to use different passwords on each site.

    The obvious solution is to treat each domain (or subdomain) as one site. That way, every site has only one entry stored per login, and your password is always remembered properly. In other words, you can choose a totally random password and never have to worry about it again. But that is possible only if this issue is fixed.

    A related issue is that Firefox actually listens to sites that have autocomplete=off. So, if your credit card company feels that you cannot be trusted with securing your Firefox profile, then Firefox will never remember your password on that site for you. That just makes Firefox seem unreliable with passwords (the problem I just described), and you end up using a simpler password with your credit card site just so you can remember it. Not only that, but you will use simpler passwords on other sites, just in case Firefox will inexplicably (if you don’t know about autocomplete=off, that is) not ask to remember them. I think Firefox should simply ignore this setting (and just possibly offer a warning).

    While we're at it, just changing ‘password’ to ‘passphrase’ throughout the UI should also go a long way towards getting people to use more secure passwords.

    Replies
    1. I agree with you about the form detection bugs and probably autocomplete as well.

      The problem with mapping all subdomains to the same site is when subdomains host user-generated content. Like docs.google.com, for example, or blogspot.com.

    2. I actually have the issue the other way around. I use some services that are hosted under the same domain, but have distinct backgrounds and thus distinct passwords. The password manager quite often believes these sites to be the same :/

      I would prefer a UI where the passwords are not automagically filled in, but where I could press a button (next to the search bar?) to fill in the login data. It could become a dropdown if there are several passwords saved. Right clicking (/long clicking, etc) the button could allow access to the password manager options which are now buried like 10 clicks deep in the menu (okay, 5 or 6 to be precise).

  4. Password managers could become (if not already) a security vulnerability to viruses (Trojans). Statistically they are not used for this specific reason. It's a question of trust.
